Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ! PART TWO

[RebeccaMumsnet]

Hi all,

This thread is about to max out please continue here and we will update with info as an when we have it.

We will get to all emails and reports but it may take some time Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

I know it's not the fault of mumsnet but I can't help feeling that they have failed members here.

Sod the "we didn't want to be alarmist" - safety HAS to come first each and every time.

Some members here are extremely vulnerable in rl.

More action should have been taken to protect people . I feel really angry about it tbh.

I am logging into the website via my phone. It's showing but not in green or yellow. How can I tell if it's secure?

MagicalMrs not on list

Yup Heman I'm afraid so. And it looks like he has hacked someone elses account called DadSec as its got pictures of someones child and hasn't been used in nearly a year.

we were getting misplaced reassurance at one stage - now we're getting nothing. so i'm assuming all bets are off really.

Anyone that was involved in the 'secret santa' or 'janet and roy' etc passed their home addresses on and may have their addresses still in people's inboxes....

I think you should shut the site down for a while. They can access anything and you have been economical with facts in the past week, breaking trust.

I also want to know if the gift you were given before you reset passwords was the later published list.

It's rubbish they did this to us all. I don't blame mnhq for the hacking.

theconstantvacuumer - click on " share" to get the url

and NO people can't go into work late or not realise what's happening when they are mid security crisis and store hundreds of thousands of peoples data lol. as if you can just go oh well, it's london, maybe they went to work late, could've been tube delays.

Calm down. I didn't say they were getting there late. I said they may start later as MNHQ is in London and if they have children to drop at childcare they may not be able to get to work earlier for example.

Seriously calm down. This will resolve itself.

I'm on the list, I've changed my password.

If I leave MN and rejoin from a different email address (with a different username) is that allowed?

Janet and Roy cards were addressed to not very bright relatives.

There's no padlock.

I usually use the app but had to go onto the website via Safari to change my password. I thought it was secure but now I don't know and am worrying I've just fed my login details to Jeffrey. Gah!

I agree, the whole site should be shut down until it's made secure. I'd even go so far as to say all accounts should be scrubbed and everyone forced to deregulated.

I'm not on the list am I ?

and i pointed out a professional business in the middle of security breakdown doesn't operate like that littlebear. please don't tell me to calm down - feeling a security breach is being handled terribly and people's data is being left at risk does not make me 'uncalm'.

What a complete and utter arsehole to do this.

I'm on 'the list', but am more worried about some of the other names I can see on there, who have been posting about really sensitive subjects and circumstances.

What a fucking tosspot. I can take a pretty good guess at what we'll see in the press when they catch up with you, you fucking no-mark. You need help if this is how you get your kicks. Think about your own mum and think about her when she was in her darkest hour - and then think about some self indulgent little creep putting her deliberately in harms way. That's what you have done to some of these people. I hope they throw the book at you, you complete loser.

if you de reg and start a new account ALL of the info of your old account re: posting history, messages etc will still be there for them to access. you'd have to get your posting history deleted and mn is generally pretty reluctant to do this.

short of deleting everything at this point the only way to guarantee people's data protection is to take the whole thing offline.

Thanks Saymwa but I can't see anything 'share' option (Luddite emoticon)

Deckthehallswithjammydodgers not on list.

Sorry to be annoying but is there anyway someone could check if I am on the list please? Many thanks.

Does anyone know anything about complaining to Twitter?

I just reported his posts, just as I was looking at it really, and received an email back from Twitter saying they won't respond to my complaint unless I send them a copy of my passport or a household bill?!

Someone on FB is saying she's on the list with a very old username that she hasn't used for years. With a password she hasn't used for years.

So MNHQ, how have they got that? Because it wasn't through phishing if she hasn't used it for years!

MissDuke is on list.

Thank you

No your posting style makes you uncalm.

In the middle of an IT security breach the Tech people will have been asked to arrive ASAP. Even in that case real life may make that difficult.

The community team may have been asked to come in early but again may not be able to again because of real life; once they arrived they will have been dealing with vast numbers of emails.

And perhaps it would be better for MNHQ to come onto this thread when they actually have something useful to tell us. Speculation in the meantime doesn't help.

I looked up the list and I was on it

I do not understand how this was a phishing hack... Can someone please explain? I used to work closely with IT and regard myself as reasonably Tech savvy, and cannot think how my account has been compromised via phishing.

Am I missing something? Can someone explain what the phishing would have looked like?

Also, my password listed was one from a couple of weeks ago I think.